You have just added a Linux “capability” to the ping binary, which has given ping the rights to open a raw socket, which has allowed it to ping the target system.

Linux Capabilities

Linux Capabilities provide fine-grained control over the sorts of privileged activities a process or thread can perform. Traditionally there have been only two levels of privilege: root and non-root. A process executing as root, or superuser, could do most things on the system. A non-root process had control only over the elements that it owned or was granted access to.

In the past, before Capabilities, ping and other system tools were installed with setuid root permissions, like this:

$ ls -l /bin/ping
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping

The “s” in the permission string represents the setuid bit, and it means that ping will be executed with root level permissions, even if invoked by a non-root user. Ping needs higher privileges to work properly. Here are some other programs installed as setuid root on Red Hat 6.5, by default:

Dangers of Setuid Programs

The setuid mechanism works well and is quite widespread. However, it represents poor security. A process running as setuid obtains far greater permissions than it actually needs. Ping needs to open a raw network socket, and root rights conferred through setuid allow it to do that, but they also give ping many other powers which it doesn’t need. If the ping binary were overwritten by a hacked version, for example, malicious code could run with full superuser privileges.

That is one reason why capabilities are more desirable than simple setuid solutions, and are being used more widely with each Linux release.

Capability Sets

Above, a capability called cap_net_raw was given to the ping binary. Cap_net_raw is one of a large number of available capabilities, about 38 according to the capabilities man page.

Each thread, or process, has three sets of capabilities associated with it: Permitted, Inheritable and Effective. In the example above, the “+p” in our “setcap cap_net_raw+p /bin/ping” command added the cap_net_raw capability to the ping binary’s Permitted capability set, meaning that a subsequent ping process (or thread) would obtain the corresponding rights. Capability sets, as they belong to files and threads, are quite well explained in the above man page.

CAP_NET_RAW

One question: if ping needs this special capability to work, or previously needed setuid, why don’t other network tools such as ssh, ftp and wget need it? And, for that matter, web browsers like Firefox and Safari? Don’t they have to open network sockets too? Yes they do, but not in the same way.

It is as expected. SOCK_STREAM creates a full transport-oriented TCP socket connection for extended communication. SOCK_RAW, on the other hand, is just a pass-through to the lower levels of IP, allowing ping to send out ICMP packets directly.

Therefore, CAP_NET_RAW gives the ability to open a socket of type SOCK_RAW, but is not needed for SOCK_STREAM sockets.
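
The following C program is an added example, not code from the original article. It reports whether cap_net_raw is in the calling process's Inheritable, Permitted and Effective sets (read from /proc/self/status) and then tries to open one SOCK_STREAM and one SOCK_RAW socket. The function names are hypothetical; the bit number 13 is the value of CAP_NET_RAW in <linux/capability.h>.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NET_RAW_BIT 13 /* CAP_NET_RAW in <linux/capability.h> */

/* Parse one /proc/<pid>/status line, e.g. "CapEff:\t0000000000002000".
 * Returns 1 if it is the `name` line with bit `cap` set, 0 if the bit
 * is clear, -1 if the line belongs to a different field. */
int cap_in_status_line(const char *line, const char *name, int cap)
{
    size_t n = strlen(name);
    if (strncmp(line, name, n) != 0 || line[n] != ':')
        return -1;
    unsigned long long mask = strtoull(line + n + 1, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Try to create an IPv4 socket; return 0 on success, else errno. */
int try_socket(int type, int proto)
{
    int fd = socket(AF_INET, type, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    static const char *sets[] = { "CapInh", "CapPrm", "CapEff" };
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    while (fgets(line, sizeof line, f))
        for (int i = 0; i < 3; i++) {
            int has = cap_in_status_line(line, sets[i], NET_RAW_BIT);
            if (has >= 0)
                printf("%s: cap_net_raw %s\n", sets[i], has ? "set" : "clear");
        }
    fclose(f);
    int s = try_socket(SOCK_STREAM, 0), r = try_socket(SOCK_RAW, IPPROTO_ICMP);
    printf("SOCK_STREAM: %s\n", s ? strerror(s) : "ok");
    printf("SOCK_RAW:    %s\n", r ? strerror(r) : "ok");
    return 0;
}
```

This program never raises capabilities itself, so to see the raw socket succeed without root the file capability must also be made effective, for example with setcap cap_net_raw+ep on the compiled binary.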

Ping in Various Linux Distros

Ping is a useful tool for users, administrators and developers. It doesn’t really make sense that by default, only root can execute it. Some Linux distros seem to agree, and have given ping the necessary capability by default. In older releases, capabilities are often installed in the kernel but not set up for ping.

Hi bulbuntu. Something is not right about the ping commands shown in your comment. Your ping programme (/bin/ping) is already setuid to root, as shown by the permissions. Moreover, you are invoking ping as the root user, as indicated by the hash prompt. Therefore the ping process should be running as root, and it is hard to see why you would get an “Operation not permitted” error in this case.

Hi Yanzhoa, it is slightly difficult to check now. Later versions of Raspbian, based on Debian 9, seem to have reverted to using setuid by default. Ping thus works out of the box. Slightly annoying though, as it is a backward step for security.